Russian Espionage Piggybacks on a Cybercriminal’s Hacking

To the F.B.I., Evgeniy M. Bogachev is the most wanted cybercriminal in the world. The bureau has announced a $3 million bounty for his capture, the most ever for computer crimes, and has been trying to track his movements in hopes of grabbing him if he strays outside his home turf in Russia.

He has been indicted in the United States, accused of creating a sprawling network of virus-infected computers to siphon hundreds of millions of dollars from bank accounts around the world, targeting anyone with enough money worth stealing — from a pest control company in North Carolina to a police department in Massachusetts to a Native American tribe in Washington.

In December, the Obama administration announced sanctions against Mr. Bogachev and five others in response to intelligence agencies’ conclusions that Russia had meddled in the presidential election. Publicly, law enforcement officials said it was his criminal exploits that landed Mr. Bogachev on the sanctions list, not any specific role in the hacking of the Democratic National Committee.

But it is clear that for Russia, he is more than just a criminal. At one point, Mr. Bogachev had control over as many as a million computers in multiple countries, with possible access to everything from family vacation photographs and term papers to business proposals and highly confidential personal information. It is almost certain that computers belonging to government officials and contractors in a number of countries were among the infected devices. For Russia’s surveillance-obsessed intelligence community, Mr. Bogachev’s exploits may have created an irresistible opportunity for espionage.

While Mr. Bogachev was draining bank accounts, it appears that the Russian authorities were looking over his shoulder, searching the same computers for files and emails. In effect, they were grafting an intelligence operation onto a far-reaching cybercriminal scheme, sparing themselves the hard work of hacking into the computers themselves, officials said.

The Russians were particularly interested, it seems, in information from military and intelligence services regarding fighting in eastern Ukraine and the war in Syria, according to law enforcement officials and the cybersecurity firm Fox-IT. But there also appear to have been attempts to gain access to sensitive military and intelligence information on infected computers in the United States, often consisting of searches for documents containing the words “top secret” or “Department of Defense.”

The Russian government has plenty of its own cyberspace tools for gathering intelligence. But the piggybacking on Mr. Bogachev’s activities offers some clues to the breadth and creativity of Russia’s espionage efforts at a time when the United States and Europe are scrambling to counter increasingly sophisticated attacks capable of destroying critical infrastructure, disrupting bank operations, stealing government secrets and undermining democratic elections.

This relationship is illustrated by the improbable mix of characters targeted with the sanctions announced by the Obama administration. Four were senior officers with Russia’s powerful military intelligence agency, the G.R.U. Two were suspected cyberthieves on the F.B.I.’s most wanted list: an ethnic Russian from Latvia named Alexsey Belan with a red-tinted Justin Bieber haircut, and Mr. Bogachev, whose F.B.I. file includes a photograph of him holding his spotted Bengal cat while wearing a matching set of leopard-print pajamas.

From Thief to Russian Asset?

His involvement with Russian intelligence may help explain why Mr. Bogachev, 33, is hardly a man on the run. F.B.I. officials say he lives openly in Anapa, a run-down resort town on the Black Sea in southern Russia. He has a large apartment near the shore and possibly another in Moscow, officials say, as well as a collection of luxury cars, though he seems to favor driving his Jeep Grand Cherokee. American investigators say he enjoys sailing and owns a yacht.

Running the criminal scheme was hard work. Mr. Bogachev often complained of being exhausted and “of having too little time for his family,” said Aleksandr Panin, a Russian hacker, now in a federal prison in Kentucky for bank fraud, who used to communicate with Mr. Bogachev online. “He mentioned a wife and two kids as far as I remember,” Mr. Panin wrote in an email.

Beyond that, little is known about Mr. Bogachev, who preferred to operate anonymously behind various screen names: slavik, lucky12345, pollingsoon. Even close business associates never met him in person or knew his real name.

“He was very, very paranoid,” said J. Keith Mularski, an F.B.I. supervisor in Pittsburgh whose investigation of Mr. Bogachev led to an indictment in 2014. “He didn’t trust anybody.”

Russia does not have an extradition treaty with the United States, and Russian officials say that so long as Mr. Bogachev has not committed a crime on Russian territory, there are no grounds to arrest him.

Attempts to reach Mr. Bogachev for this article were unsuccessful. In response to questions, his lawyer in Anapa, Aleksei Stotskii, said, “The fact that he is wanted by the F.B.I. prevents me morally from saying anything.”

A line in Mr. Bogachev’s file with the Ukrainian Interior Ministry, which has helped the F.B.I. track his movements, describes him as “working under the supervision of a special unit of the F.S.B.,” referring to the Federal Security Service, Russia’s main intelligence agency. The F.S.B. did not respond to a request for comment.

That Mr. Bogachev remains at large “is the most powerful argument” that he is an asset of the Russian government, said Austin Berglas, who was an assistant special agent in charge of cyberinvestigations out of the F.B.I.’s New York field office until 2015. Hackers like Mr. Bogachev are “moonlighters,” Mr. Berglas said, “doing the bidding of Russian intelligence services, whether economic espionage or straight-up espionage.”

Such an arrangement offers the Kremlin a convenient cover story and an easy opportunity to take a peek into the extensive networks of computers infected by Russian hackers, security experts say. Russian intelligence agencies also appear to occasionally employ malware tools developed for criminal purposes, including the popular BlackEnergy, to attack the computers of enemy governments. The recent revelations by WikiLeaks about C.I.A. spying tools suggest that the agency also kept a large reference library of hacking kits, some of which appear to have been produced by Russia.

It also hints at a struggle to recruit top talent. A job with the Russian intelligence agencies does not command the prestige it did in the Soviet era. The Russian state has to compete against the dream of six-figure salaries and stock options in Silicon Valley. A recruiting pitch from a few years ago for the Defense Ministry’s cyberwarfare brigade offered college graduates the rank of lieutenant and a bed in a room with four other people.

Image

Former Assistant Attorney General Leslie R. Caldwell, of the Justice Department’s Criminal Division, announced the effort to disrupt GameOver ZeuS in 2014. Criminal charges against Mr. Bogachev were also unsealed.CreditGary Cameron/Reuters

And so the Kremlin at times turns to the “dark web” or Russian-language forums devoted to cyberfraud and spam. Mr. Bogachev, according to court papers from his criminal case, used to sell malicious software on a site called Carding World, where thieves buy and sell stolen credit card numbers and hacking kits, according to the F.B.I. One recent posting offered to sell American credit card information with CVV security numbers for $5. A user named MrRaiX was selling a malware supposedly designed to pilfer passwords from programs like Google Chrome and Outlook Express.

Rather than shut down such sites, as the F.B.I. typically tries to do, Russian intelligence agents appear to have infiltrated them, security experts say.

Some of the forums state specifically that almost any type of criminality is allowed — bank fraud, counterfeiting documents, weapons sales. One of the few rules: no work in Russia or the former Soviet Union. In Carding World, and in many other forums, a violation results in a lifetime ban.

The F.B.I. has long been stymied in its efforts to get Russian cybercriminals. For a time, the bureau had high hopes that its agents and Russian investigators with the F.S.B. would work together to target Russian thieves who had made a specialty of stealing Americans’ credit card information and breaking into their bank accounts. “Here’s to great investigations,” F.B.I. and F.S.B. agents would toast each other at Manhattan steakhouses during periodic trust-building visits, Mr. Berglas said.

But help rarely seemed to materialize. After a while, agents began to worry that the Russian authorities were recruiting the very suspects that the F.B.I. was pursuing. The joke among Justice Department officials was the Russians were more likely to pin a medal on a suspected criminal hacker than help the F.B.I. nab him.

“Almost all the hackers who have been announced by the U.S. government through indictments are immediately tracked by the Russian government,” said Arkady Bukh, a New York-based lawyer who often represents Russian hackers arrested in the United States. “All the time they’re asked to provide logistical and technical support.”

While it was a widely held suspicion, it is tough to prove the connection between cyberthieves and Russian intelligence. But in one case, Mr. Berglas said, F.B.I. agents monitoring an infected computer were surprised to see a hacker who was the target of their investigation share a copy of his passport with a person the F.B.I. believed to be a Russian intelligence agent — a likely signal that the suspect was being recruited or protected. “That was the closest we ever came,” he said.

Fishing for Top Secrets

Mr. Bogachev’s hacking career began well over a decade ago, leading to the creation of a malicious software program called GameOver ZeuS, which he managed with the help of about a half-dozen close associates who called themselves the Business Club, according to the F.B.I. and security researchers. Working around the clock, his criminal gang infected an ever-growing network of computers. It was able to bypass the most advanced banking security measures to quickly empty accounts and transfer the money abroad through a web of intermediaries called money mules. F.B.I. officials said it was the most sophisticated online larceny scheme they had encountered — and for years, it was impenetrable.

Mr. Bogachev became extremely wealthy. At one point, he owned two villas in France and kept a fleet of cars parked around Europe so he would never have to rent a vehicle while on vacation, according to a Ukrainian law enforcement official with knowledge of the Bogachev case, who requested anonymity to discuss the continuing investigation. Officials say he had three Russian passports with different aliases allowing him to travel undercover.

At the height of his operations, Mr. Bogachev had between 500,000 and a million computers under his control, American officials said. And there is evidence that the Russian government took an interest in knowing what was on them.

Beginning around 2011, according to an analysis by Fox-IT, computers under Mr. Bogachev’s control started receiving requests for information — not about banking transactions, but for files relating to various geopolitical developments pulled from the headlines.

Around the time that former President Barack Obama publicly agreed to start sending small arms and ammunition to Syrian rebels, in 2013, Turkish computers infected by Mr. Bogachev’s network were hit with keyword searches that included the terms “weapon delivery” and “arms delivery.” There were also searches for “Russian mercenary” and “Caucasian mercenary,” suggesting concerns about Russian citizens fighting in the war.

Ahead of Russia’s military intervention in Ukraine in 2014, infected computers were searched for information about top-secret files from the country’s main intelligence directorate, the S.B.U. Some of the queries involved searches for personal information about government security officials, including emails from Georgia’s foreign intelligence service, the Turkish Foreign Ministry and others, said Michael Sandee, one of the researchers from Fox-IT.

And at some point between March 2013 and February 2014, there were searches for English-language documents, which seemed to be fishing for American military and intelligence documents. The queries were for terms including “top secret” and “Department of Defense,” said Brett Stone-Gross, a cybersecurity analyst involved in analyzing GameOver ZeuS. “These were in English,” he said. “That was different.”

Cybersecurity experts who studied the case say there is no way to know who ordered the queries. But they were so disconnected from the larceny and fraud that drove Mr. Bogachev’s operation that analysts say there can be no other motive but espionage.

Whether the searches turned up any classified document or sensitive government material is unknown, although the odds are good that there were a number of federal government employees or military contractors with infected personal computers.

“They had such a large number of infections, I would say it’s highly likely they had computers belonging to U.S. government and foreign government employees,” Mr. Stone-Gross said.

In the summer of 2014, the F.B.I., together with law enforcement agencies in over half a dozen countries, carried out Operation Tovar, a coordinated attack on Mr. Bogachev’s criminal infrastructure that shut down his network and liberated computers infected with GameOver ZeuS.

Prosecutors said they were in talks with the Russian government, trying to secure cooperation for the capture of Mr. Bogachev. But the only apparent legal trouble Mr. Bogachev has faced in Russia was a lawsuit filed against him by a real estate company in 2011 over payment of about $75,000 on his apartment in Anapa, according to court papers there. And even that he managed to beat.

These days, officials believe Mr. Bogachev is living under his own name in Anapa and occasionally takes boat trips to Crimea, the Ukrainian peninsula that Russia occupied in 2014. Mr. Mularski, the F.B.I. supervisor, said his agents were “still pursuing leads.”

A version of this article appears in print on , on Page A1 of the New York edition with the headline: Russia Fills Dossiers From Hacker’s Trove. Order Reprints | Today’s Paper | Subscribe